Laporan TonBit: Laporan Penelitian Keamanan dan Pengamatan Panorama Ekosistem TON 2024
1. Perkenalan
This report is produced by TonBit, a sub-brand of Web3 blockchain security audit company BitsLab, and its partner TONX. With the continuous development and increasing application of blockchain technology, the TON ecosystem continues to show strong growth momentum in 2024, attracting the attention of a large number of developers, investors and users.
In 2024, the TON ecosystem continued to make significant progress in technological innovation, application implementation, and community building, further consolidating its position in the blockchain field. However, with the rapid development of the ecosystem, security issues have become increasingly prominent. In the face of evolving security threats, how to effectively prevent and respond has become an important issue for the TON ecosystem.
2. TON Ecosystem Overview
2.1 Introduction to TON Ecosystem
Basic Introduction and Architecture
TON (The Open Network) is a blockchain and digital communication protocol created by Telegram, aiming to build a fast, secure and scalable blockchain platform to provide users with decentralized applications and services. By combining blockchain technology and Telegrams communication capabilities, TON achieves high performance, high security and high scalability. It supports developers to build various decentralized applications and provides distributed storage solutions. Compared with traditional blockchain platforms, TON has faster processing speed and throughput, and adopts the Proof-of-Stake consensus mechanism.
2.2 Why choose TON
TON demonstrates unique advantages when competing with the strong liquidity and community of Bitcoin and Ethereum. The blockchain trilemma proposed by Vitalik Buterin describes the challenges faced by Layer 1 networks in balancing security, scalability, and efficiency. Bitcoin and Ethereum each have their own advantages and disadvantages, but TON overcomes many of these challenges through a flexible and shardable PoS architecture.
2.2.1 Flexible and shardable PoS architecture
TON uses a proof-of-stake consensus mechanism and achieves high performance and versatility through its Turing-complete smart contracts and asynchronous blockchain. TONs lightning-fast and low-cost transactions are supported by the chains flexible and shardable architecture. This architecture allows it to scale easily without losing performance. Dynamic sharding involves the initial development of separate shards with their own purposes that can run simultaneously and prevent large-scale backlogs. TON has a block time of 5 seconds and a finalization time of less than 6 seconds.
The existing infrastructure is divided into two main parts:
● Masterchain: Responsible for processing all important and critical data of the protocol, including the address of the validator and the amount of coins verified.
● Workchain: A secondary chain connected to the main chain, containing all transaction information and various smart contracts. Each workchain can have different rules.
2.2.2 Extended Use Cases and Advantages
The TON Foundation is a DAO operated by the TON core community, providing various support to projects in the TON ecosystem, including developer support and liquidity incentive programs. In 2024, the TON community has made significant progress in many aspects:
● Launch of TON Connect 2.0: provides an intuitive way to connect wallets and applications, improving user experience.
● TON Verifier: A smart contract checker created by the Orbs team that improves the reliability of contracts.
● Blueprint development tool: helps developers write, test and deploy smart contracts.
● Sandbox Developer Toolkit: for a variety of use cases from enterprise to government.
● Tact language Beta version: promotes a more powerful programming environment.
● TON Society Internationalization: International centers have been launched in multiple cities around the world.
● DeFi Liquidity Incentive Program: Provide funding for projects and promote the sustainability of the TON DeFi space.
2.3 Overview of TON development direction and goals in 2024
TON’s development roadmap contains many interesting initiatives, such as a stablecoin toolkit, sharding tools, and native bridges for BTC, ETH, and BNB.
● Gas-free transactions: TON may subsidize gas fees in certain cases to attract more users.
● Separation of verification nodes and packaging nodes: This is a major upgrade of TON’s scalability, and it plans to attract 500 million Telegram users by 2028.
● Voters and configuration contract updates: Allow users to vote on network proposals.
● TON Stablecoin Toolkit: allows anyone to issue algorithmic stablecoins pegged to local fiat currencies.
● Jetton Bridge: Allows users to send TON tokens to other chains.
● ETH, BNB, and BTC Bridge: Launch official bridges to introduce major cryptocurrencies to TON.
● Non-native tokens: Allow TON users to create native-like tokens.
3. Ecological development
3.1 Ecological Overview
The TON Foundations official website displays nearly 1,000 applications, covering a wide range of fields such as decentralized finance (DeFi), games, social media, and utility applications. Through these projects, the TON Foundation demonstrates its leading position in the field of blockchain technology and promotes the development of innovation and ecosystem.
3.2 TON Ecosystem Key Indicators
As of July 27, 2024, there are 383 validator nodes on the TON chain, with a total of more than 590 million staked $TON in 29 countries. The number of daily active addresses reached 373,000, a year-on-year increase of 5,360%. The DeFi ecosystem of the TON network has shown strong development momentum, with 1,784,089 unique users, a total locked value (TVL) of $706,307,873, and 26,297 liquidity providers.
3.3 How TON becomes a powerful decentralized gaming platform
3.3.1 The main reason for building a decentralized game based on TON
Developing decentralized games based on the TON blockchain offers a range of advantages to businesses and developers:
● Integration with Telegram: Provides access to over 900 million monthly active users.
● Powerful user acquisition and retention tools: including Telegram App Center and advertising tools.
● Fast and efficient blockchain: Processes over 100, 000 transactions per second, keeping fees low.
● Diverse monetization opportunities: such as in-app advertising and tradable non-fungible tokens.
● Simple and accessible: Provides a complete set of tools suitable for GameFi Web3 developers and players.
4. TON Ecosystem Security Research
4.1 How to do secure development on TON
In order to ensure the security of smart contracts, we need to take a series of security measures. The following are some key security practices of the TON ecosystem:
1. Access Control
Description: When there are some important logic or sensitive operations in the contract that need to be executed by specific authorized users, we should do a good job of access control to prevent attackers from performing sensitive operations and causing serious damage.
practice:
➢ Determine which operations require permission control.
➢ For operations that require permissions, access can be restricted by verifying the sender of the message.
➢ Regularly review and update access control policies to adapt to changes in contract requirements.
Specific proposals can be found at:
https://github.com/ton-blockchain/TEPs/pull/180
https://github.com/ton-blockchain/TEPs/pull/181
2. Verify message input
Description: Lack of proper validation or filtering of external inputs in smart contracts can allow malicious users or attackers to enter malicious data, which may lead to unsafe behavior or vulnerabilities.
practice:
➢ Perform strict validation and filtering on all external input, including validating data types, checking boundary conditions, and cleaning user input.
➢ Consider all possible input scenarios, including edge cases and unexpected input.
➢ Regularly audit and test input validation logic.
3. Check Gas Usage
Description: When processing internal messages, the sender usually needs to pay for gas usage. When processing external messages, the contract pays for gas usage. This means that you need to be careful about gas usage in external messages. You should always test your contracts gas usage to verify that everything is working as expected and to avoid vulnerabilities that could drain the contracts balance.
practice:
➢ Monitor and optimize Gas usage during development.
➢ Use Gas Limit to prevent high consumption operations.
➢ Regularly test the gas consumption of the contract in different scenarios.
4. Timestamp Dependency
Description: The behavior of some smart contracts depends on block timestamps, which may be manipulated by validators. For example, validators can selectively include or exclude certain transactions, or adjust timestamps to serve certain purposes. This behavior may cause the contract logic to be manipulated, posing security risks.
practice:
➢ Avoid relying directly on block timestamps for key logic judgments.
➢ If you must use timestamps, make sure to use a more reliable and uncontrolled method.
➢ Use a time buffer mechanism to allow time to vary within a certain range and reduce dependence on a single time point.
➢ Regularly review the contract logic to ensure it is not affected by timestamp manipulation.
5. Integer Overflow
Description: Integer overflow and underflow are operations on exponential values that exceed the range of the variable representation, resulting in incorrect calculation results. Integer overflow usually occurs in operations such as addition, subtraction, and multiplication. If not controlled, it may cause serious security issues such as incorrect balance calculation or unexpected fund transfer.
practice:
➢ Use a safe math library to handle integer operations.
➢ Add overflow checks before and after all math operations.
➢ Audit contract codes regularly to ensure that all integer operations are protected.
6. Rounding Error
Description: Rounding error risk refers to the error in the calculation results due to precision limitations or improper rounding methods in numerical operations. Especially when dealing with currency or high-precision numbers, rounding errors may lead to financial losses or unfair distribution.
practice:
➢ Use high-precision numeric libraries or fixed-point libraries to handle monetary operations.
➢ Regularly test and verify numerical operation logic to ensure that the accuracy meets expectations.
➢ Clearly mark the rounding method in the code to ensure consistency.
7. Denial of Service
Description: Denial of service risk refers to the consumption of computing resources of smart contracts or the triggering of error conditions, causing the contract to fail to execute normally or fall into endless operations. This may prevent legitimate users from interacting with the contract or even prevent the contract status from updating.
practice:
➢ Limit the number of loops or recursion depth to avoid long-running operations.
➢ Check the remaining Gas before key operations to avoid transaction failures due to insufficient Gas.
➢ Regularly review and optimize contract logic to ensure efficiency and reliability.
➢ Use event logs to record important operations for easy troubleshooting and recovery.
8. Business Logic
Description: Business logic vulnerabilities refer to design flaws or implementation errors in smart contracts when implementing their business processes, causing the contract to behave abnormally in certain situations. These vulnerabilities can be exploited by malicious users, resulting in serious consequences such as loss of funds, data tampering, or failure of contract functions. Business logic vulnerabilities are usually not coding errors, but misunderstandings or imperfect implementations of business requirements and processes.
practice:
➢ Deeply understand and analyze business requirements to ensure correct logical design.
➢ Regularly conduct code audits and logic verification to promptly discover and fix vulnerabilities.
➢ Write comprehensive test cases to cover all possible business scenarios.
Through the above security practices, we can greatly improve the security of smart contracts, reduce risks, and ensure the stable operation of contracts and the safety of users funds.
4.2 Review of TON Ecosystem Security Events
In 2024, several security incidents occurred in the TON ecosystem, revealing its security challenges. The following is a detailed description of some important incidents, analyzing the causes, impacts and solutions of the incidents, and an inventory of some typical security vulnerabilities.
1. The pledge contract of a certain protocol was attacked, resulting in a large amount of token loss
Date: May 22, 2024
Amount of loss: /
Root cause: parameter configuration error
describe:
After the staking event to celebrate the prosperity of the TON ecosystem, the staking contract of a certain protocol was hacked due to a misconfiguration of the protocol parameters, resulting in the theft of a large number of tokens in the contract. After the incident, the project immediately suspended the staking reward collection function and allocated a large amount of $USDT to repurchase the lost 307,264 tokens.
After the attack, the project quickly contacted TonBit for an audit. TonBit demonstrated its professionalism, responded quickly and mobilized a team of security experts to conduct a comprehensive and detailed security audit of the projects core code. TonBits security experts found 6 low-risk issues and immediately communicated in detail with the project team. With rich experience and professional technical capabilities, TonBit not only provided specific solutions to the problems, but also assisted the team to quickly complete the repair of all problems, ensuring the security and stability of the contract.
Issues related to configuration found by TonBit audit:
Solution: Modify parameter configuration
2. Hackers use wallets to display controllable comment information to mislead users
Date: May 10, 2024
Amount lost: 22,000 TON
Root cause: The comment information displayed by the wallet during transactions may mislead users
describe:
Although comments can be added when processing transfers messages in Ton, the UI design of some wallets when displaying these comments has the potential risk of misleading. This design flaw is exploited by hackers. By manipulating the comments of transfers messages, hackers can display false information to users during transactions, thereby committing fraud, causing users to make mistakes and causing financial losses.
Solution:
To solve this problem, wallet applications need to add eye-catching annotations when displaying this information to remind users that this content is not credible. In addition, the wallet development team should improve the UI design to ensure the transparency and reliability of transaction information display. At the same time, users also need to improve their ability to distinguish and be wary of suspicious transaction information.
Further measures:
TonBit recommends that wallet development teams introduce a multi-layer verification mechanism when displaying transaction annotation information, such as source verification of annotation information to ensure the reliability of information. In addition, regular user education and security tips should be issued to help users identify and prevent potential fraud. By combining technical means and user education, the occurrence of such security incidents can be effectively reduced.
3. BookPad used a backdoor contract to defraud funds and then ran away with the money
Date: April 15, 2024
Amount lost: 74,424 TON
Root cause: BookPad used a backdoor contract to suck user funds and then ran away
describe:
BookPad released a backdoored and closed smart contract to start pre-sale activities. After receiving enough funds, they used the backdoor in the contract to withdraw funds and then quickly ran away with the money.
Solution:
To prevent similar incidents from happening again, users should collect as much information as possible about the project before participating in any investment activities of any project, and choose projects that are open source and have undergone strict security audits.
TonBit recommends that users pay special attention to the following points:
1. Open source project: Confirm that the smart contract code is open source, so that independent security experts can review it to ensure that there are no hidden vulnerabilities or malicious code.
2. Security Audit: Choose projects that have been audited by well-known security audit institutions. Security audits can find and fix potential vulnerabilities in contracts and provide additional protection.
3. Project background investigation: Investigate the background of the project owner, the reputation and historical records of the team members. Project owners with high transparency and good reputation are more trustworthy.
4. Community feedback: Pay attention to the community’s feedback on the project, participate in discussions, and understand the project’s reputation and potential risks.
Further measures:
TonBit suggests introducing a stricter supervision and audit mechanism in the TON ecosystem to conduct qualification audits on new projects to ensure that they meet security standards. In addition, a public contract code base can be established, and only audited contracts can be used. This will greatly reduce the risk of user funds being stolen and improve the security and credibility of the entire TON ecosystem.
5 How Users Can Stay Safe on TON and Telegram
As the TON and Telegram ecosystems have grown rapidly, with more than 38 million active accounts today, the attention that comes with it also brings greater risks.
Scammers and malicious actors are targeting the influx of new users, and even in the safest ecosystems, it’s still crucial to stay vigilant and aware of potential risks. Here are the most common scams you need to watch out for.
5.1 Common fraud methods
1. Friends in urgent need of help: Scammers may impersonate friends or family members and urgently request funds. Please verify their identity.
2. Phishing websites: Fake websites imitate real websites and steal login information. Check the URL and avoid clicking on unknown links.
3. Investment scams: These scams are very common in the cryptocurrency space, promising high returns but without proof. Research thoroughly; if it sounds too good to be true, it probably is.
4. Fake surveys: offering rewards for participating in surveys to steal personal information. Avoid providing details to unknown surveyors.
5. Fake job opportunities: Attractive job ads that require personal information, app downloads, or payment. Verify through official channels.
6. Classifieds scam: Fake ads direct you to fake Telegram bots to steal information.
7. Pump and Dump: Groups manipulate cryptocurrency prices to profit, causing others to lose money. Always research and verify investment advice.
8. Romance scams: Online relationships where scammers ask for money or personal information. Be wary of requests for money from people you meet online.
5.2 Beware of the Toncoin pyramid scam
Telegram’s support for the TON blockchain has unfortunately attracted scammers who have sought to take advantage of unsuspecting users. Here’s a detailed breakdown of the scam:
1. Set up: Scammers send links to “exclusive money-making schemes” that appear to come from friends or contacts. They direct users to join an unofficial Telegram bot that they claim is for storing cryptocurrency.
2. Investment: Users are instructed to purchase Toncoin through legitimate channels such as wallets, P2P pasars, or cryptocurrency exchanges. This adds false credibility. Once purchased, users must transfer their Toncoin to the scam bot.
3. Accelerators: Victims are forced to purchase “accelerators” through a separate bot for a fee ranging between 5 and 500 Toncoin. During this phase, users lose their cryptocurrency.
4. Recruitment: The scammers promote a referral program, asking users to create a private Telegram group and invite friends. They promise a fixed payment of 25 TON for each referral and a commission based on the accelerator purchased by the referral.
In fact, this is a typical pyramid scheme. The scammers make money while others lose their investment capital.
5.3 How to avoid online fraud
To protect yourself from online scams and keep your Telegram account secure, follow these basic steps:
1. Enable two-step verification for Telegram: Go to Settings > Privacy and Security > Two-step verification to add an extra layer of security to your account.
2. Verify the contact: Be wary of unsolicited messages, especially those requesting personal information or funds. Confirm the sender’s identity through other means.
3. Check your Telegram account activity regularly: Go to Settings > Devices > Active sessions to check if there are any unknown devices or sessions in your account.
4. Report suspicious activity: If you encounter fraudulent activity, please report it to Telegram.
5. Avoid get-rich-quick schemes: Be wary of these schemes, even if they are recommended by friends or family, they may also be victims.
6. Do not transfer cryptocurrencies to unknown wallets: Before transferring cryptocurrencies, always verify the identity of the recipient to avoid being scammed.
Staying safe with TON and Telegram requires vigilance and awareness. By identifying common scams and following these safety tips, you can protect your assets and personal information. Always verify sources, be skeptical of offers that seem too good to be true, and only transact through official channels. Stay informed and cautious, and you’ll be able to enjoy the benefits of TON and Telegram without falling victim to a scam!
6. Ringkasan
The reason to choose TON is to recognize the ecosystem of Telegram itself. Deploying your Web3 project on TON can take advantage of Telegrams huge user base, with more than 700 million monthly active users. This integration provides a fertile environment for decentralized applications to thrive. TonBit is committed to providing comprehensive security for the TON ecosystem, helping projects achieve higher security standards and user trust. As the security guardian of the TON ecosystem, TonBit will continue to work hard to contribute to the development of blockchain technology.
Full report link: https://tonbit.xyz/reports-page
This article is sourced from the internet: TonBit Report: 2024 TON Ecosystem Panoramic Observation and Security Research Report
Original | Odaily Planet Daily ( @OdailyChina ) Author: Golem ( @web3_golem ) Odaily Planet Daily takes stock of the airdrop projects that can be claimed from July 30 to August 10, and also organizes and introduces the newly added interactive projects/tasks and important airdrop information during this period. For detailed information, see the text. Matr1x Project and air investment qualification introduction Matr1x is a metaverse brand with three self-developed games, namely Matr1x FIRE (first-person shooter), Matr1x WAR (shooter + MMORPG) and Matr1x EVOLUTION (SOC). The project announced on August 5 that it would open the first phase of MAX airdrop rewards. Users holding high-quality Matr1x Pioneer Badge NFTs can redeem 800 MAX for each NFT, and a total of 10 million MAX rewards will be distributed according to the…